Outline Security Protection Systems
Decidability
January 16, 2014
Slide 1 ECS 235B, Foundations of Information and Computer Security January 16, 2014
Slide 2: Outline
1 Security
Mono-operational command case
General case
2 Protection Systems
Take-Grant Systems
SPM
Slide 3: Security
Leaking: adding a generic right r to an entry of the access control matrix where it was not present before is called leaking.
Safe: if a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r.
Here "safe" = "secure" for an abstract model.
Slide 4: Safety Question
Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r?
Slide 5: Mono-operational command case
Answer: Yes!
Proof sketch: consider a minimal sequence of commands c1, ..., ck that leaks the right.
Can omit delete, destroy.
Can merge all creates into one.
Worst case: insert every right into every entry; with s subjects, o
Slide 6: Mono-operational command case
Consider minimal sequences of commands (of length m) needed to leak r from a system with initial state s0.
Identify each command by the type of primitive operation it invokes.
Commands cannot test for the absence of rights, so delete and destroy are not relevant; ignore them.
Reorder the sequence of commands so that all creates come first.
This can be done because enters require the subject and object to exist, and the commands after the creates check only for the existence of rights.
Slide 7: Mono-operational command case
It can be shown (see exercise):
Suppose s1, s2 are created, and commands test rights in A[s1, o1] and A[s2, o2]. Doing the same tests on A[s1, o1] and A[s1, o2] = A[s1, o2] ∪ A[s2, o2] gives the same result. Thus all creates are unnecessary,
unless s0 is empty; then one subject must be created (1 create).
In s0: |S0| is the number of subjects, |O0| the number of objects, and n the number of (generic) rights.
In the worst case there is 1 create, so there are at most (|S0| + 1)(|O0| + 1) matrix entries.
So m ≤ n(|S0| + 1)(|O0| + 1).
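The proof on slides 5-7 is also a decision procedure: drop delete and destroy, allow at most one create, and saturate the enter commands until nothing changes. This is an added Python example, not from the slides; the command encoding, the treatment of the single created entity as a subject, and the sample systems are our own assumptions.

```python
from itertools import product

# A command is (name, params, conditions, primitive): conditions is a list of
# (right, subj_param, obj_param) that must all hold, and primitive is exactly one
# of ("enter", right, subj_param, obj_param), ("create", param), ("delete", ...)
# or ("destroy", ...).  This encoding is ours, not HRU notation.

def _holds(matrix, conds, env):
    """Conditions can only test the presence of a right, never its absence."""
    return all(r in matrix.get((env[s], env[o]), set()) for r, s, o in conds)

def _bindings(cmd, matrix, entities):
    """Every binding of cmd's parameters to existing entities that enables it."""
    _, params, conds, _ = cmd
    for vals in product(sorted(entities), repeat=len(params)):
        env = dict(zip(params, vals))
        if _holds(matrix, conds, env):
            yield env

def is_safe(subjects, objects, matrix, commands, right):
    """True iff no reachable command enters `right` into a cell lacking it."""
    entities = set(subjects) | set(objects)          # subjects are objects too
    matrix = {cell: set(rs) for cell, rs in matrix.items()}
    created = False
    while True:
        changed = False
        for cmd in commands:
            op = cmd[3]
            if op[0] in ("delete", "destroy"):
                continue                  # never needed for a leak (slide 6)
            for env in _bindings(cmd, matrix, entities):
                if op[0] == "enter":
                    _, r, s, o = op
                    cell = matrix.setdefault((env[s], env[o]), set())
                    if r in cell:
                        continue
                    if r == right:
                        return False      # leak: the right is added where it was absent
                    cell.add(r)
                    changed = True
                elif op[0] == "create" and not created:
                    # One fresh entity suffices (slide 7).  Assumption: it is
                    # treated as a subject, so it can fill any parameter.
                    entities.add("fresh")
                    created = changed = True
                    break
        if not changed:
            return True                   # fixpoint: nothing left to enter

# Constructed sample systems, not from the slides.
CREATE_FILE = ("create_file", ["p", "f"], [], ("create", "f"))
GRANT_READ = ("grant_read", ["p", "f", "q"], [("own", "p", "f")], ("enter", "r", "q", "f"))
CLAIM = ("claim", ["p", "f"], [], ("enter", "own", "p", "f"))

def owner_can_share():
    """alice owns doc, so grant_read enters r into cells such as A[bob, doc]: unsafe for r."""
    return is_safe({"alice", "bob"}, {"doc"}, {("alice", "doc"): {"own"}},
                   [CREATE_FILE, GRANT_READ], "r")

def own_never_leaks():
    """No command enters own, so the same system is safe for own."""
    return is_safe({"alice", "bob"}, {"doc"}, {("alice", "doc"): {"own"}},
                   [CREATE_FILE, GRANT_READ], "own")

def claim_system(with_create):
    """Every existing cell already holds own, so claim can only leak it into a
    created entity: safe without create_file, unsafe with it."""
    full = {(a, b): {"own"} for a in ("alice", "doc") for b in ("alice", "doc")}
    cmds = [CLAIM] + ([CREATE_FILE] if with_create else [])
    return is_safe({"alice"}, {"doc"}, full, cmds, "own")
```

The saturation terminates because each pass either adds a right to one of the finitely many cells or performs the single create, which is exactly the bound m ≤ n(|S0| + 1)(|O0| + 1) from the slide.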
Slide 8: General case
Answer: No
Proof sketch:
1 Show that an arbitrary Turing machine can be reduced to the safety problem
2 Then deciding the safety problem means deciding the halting problem
Slide 9: General case
Turing machine: infinite tape in one direction; states K, symbols M, distinguished blank b.
State transition function δ(k, m) = (k′, m′, L): in state k with symbol m under the TM head, replace m with m′, move the head left one square, and enter state k′.
Halting state is qf.
Slide 10: General case
Turing machine access control matrix representation
[Figure: tape squares 1, 2, 3, 4, ... hold A, B, C, D, ...; the head is over square 3 in state k. The matrix has one subject si per square, with A[s1, s1] = {A}, A[s2, s2] = {B}, A[s3, s3] = {C, k}, A[s4, s4] = {D, e}]
Turing machine with head over square 3 on the tape, in state k, and its representation as an access control matrix.
e is the end right, marking the rightmost square.
Slide 11: General case
Turing machine access control matrix representation
[Figure: tape squares 1, 2, 3, 4, ... hold A, B, X, D, ...; the head is over square 4 in state k1. In the matrix, A[s1, s1] = {A}, A[s2, s2] = {B}, A[s3, s3] = {X}, A[s4, s4] = {D, k1, e}]
After δ(k, C) = (k1, X, R), where k is the previous state and k1 the current state.
Slide 12: General case
δ(k, C) = (k1, X, R) at an intermediate square becomes:
command c_k,C(si, si+1)
    if o in A[si, si+1] and k in A[si, si] and C in A[si, si]
    then
        delete k from A[si, si];
        delete C from A[si, si];
        enter X into A[si, si];
        enter k1 into A[si+1, si+1];
    end
Slide 13: General case
Turing machine access control matrix representation
[Figure: tape squares 1 to 5 hold A, B, X, Y, b; the head is over square 5 in state k2. In the matrix, A[s1, s1] = {A}, A[s2, s2] = {B}, A[s3, s3] = {X}, A[s4, s4] = {Y}, A[s5, s5] = {k2, e}]
After δ(k1, D) = (k2, Y, R), where k1 is the previous state and k2 the current state: the head moved past the rightmost square, so a new subject s5 was created and the end right e moved to it.
Slide 14: General case
δ(k1, D) = (k2, Y, R) at the rightmost square becomes:
command c_rightmost_k,D(si, si+1)
    if e in A[si, si] and k1 in A[si, si] and D in A[si, si]
    then
        delete e from A[si, si];
        create subject si+1;
        enter o into A[si, si+1];
        enter e into A[si+1, si+1];
        delete k1 from A[si, si];
        delete D from A[si, si];
        enter Y into A[si, si];
        enter k2 into A[si+1, si+1];
    end
Slide 15: General case
The protection system exactly simulates the Turing machine:
Exactly 1 end (e) right in the access control matrix.
1 right in the entries corresponds to the state.
Thus, at most 1 command is applicable at any time.
If the Turing machine enters state qf, then the right qf has leaked.
If the safety question were decidable, then represent the TM as a protection system and decide whether qf leaks.
This would imply the halting problem is decidable.
Conclusion: the safety question is undecidable.
Slide 16: General case
The set of unsafe systems is recursively enumerable.
Delete the create primitive; then the safety question is complete in P-SPACE.
Delete the destroy and delete primitives; the safety question is still undecidable. Such systems are called monotonic.
The safety question for monoconditional, monotonic protection systems is decidable.
The safety question for monoconditional protection systems with create, enter, delete (and no destroy) is decidable.
Slide 17: Take-Grant Systems
A specific (not generic) system, with a set of rules for state transitions.
Safety is decidable, and in time linear in the size of the system.
Goal: find the conditions under which rights can be transferred from one entity to another in the system.
Slide 18: Take-Grant Systems
Notation:
⊗  don't care (either a subject or an object)
G ⊢x G′  apply rewriting rule x (witness) to G to get G′
G ⊢∗ G′  apply a sequence of rewriting rules (witness) to G to get G′
R = {t, g, ...}  set of rights
Slide 19: Take-Grant Systems
In these rules, β ⊆ α ⊆ R.
[Figure: take rule. Subject x has an edge labeled t to y, and y has an edge labeled α to z; applying the rule adds an edge labeled β from x to z]
[Figure: grant rule. Subject x has an edge labeled g to y, and x has an edge labeled α to z; applying the rule adds an edge labeled β from y to z]
Slide 20: Take-Grant Systems
[Figure: create rule. Subject x creates a new vertex, adding an edge from x to it labeled with the created rights]
[Figure: remove rule. x has an edge labeled α to a vertex; applying the rule leaves that edge labeled α − β]
These four rules are the de jure rules.
Slide 21: Take-Grant Systems
[Figure: symmetry of take and grant. Two rewritings, each adding an edge labeled β; the starting graph of the first carries edges labeled g and α from x, that of the second edges labeled t and α]
Slide 22: Take-Grant Systems
[Figure: subject x with an edge labeled g to y, and y with an edge labeled α to z; x adds a new vertex v with an edge labeled tg]
1 x creates (tg to new) v
Slide 23: Take-Grant Systems
[Figure: as on slide 22, with y now holding an edge labeled g to v]
1 x creates (tg to new) v
2 x grants (g to v) to y
Slide 24: Take-Grant Systems
[Figure: as on slide 23, with v now holding an edge labeled β to z]
1 x creates (tg to new) v
2 x grants (g to v) to y
3 y grants (β to z) to v
Slide 25: Take-Grant Systems
[Figure: as on slide 24, with x now holding an edge labeled β to z]
1 x creates (tg to new) v
2 x grants (g to v) to y
3 y grants (β to z) to v
4 x takes (β to z) from v
Slide 26: Take-Grant Systems
tg-path: a path of distinct vertices connected by edges labeled t or g. Such vertices are called tg-connected.
island: a maximal tg-connected subject-only subgraph.
Any right that a vertex in the island has can be shared with any other vertex in the island.
Slide 27: Take-Grant Systems
initial span from x to y: x can give rights it has to y.
x is a subject and there is a tg-path between x and y with associated word in { →t∗ →g } ∪ { ν }.
terminal span from x to y: x can get rights y has.
x is a subject and there is a tg-path between x and y with associated word in { →t∗ } ∪ { ν }.
(→t denotes an edge labeled t followed in the direction of the path, ←t one followed against it, and ν the empty word, i.e., x = y.)
Slide 28: Take-Grant Systems
bridge: a tg-path between subjects x and y with associated word in { →t∗, ←t∗, →t∗ →g ←t∗, →t∗ ←g ←t∗ }.
Rights can be transferred between the two endpoints; a bridge is not an island, as the intermediate vertices are objects.
Slide 29: Take-Grant Systems
[Figure: example protection graph with vertices p, u, v, w, x, y, s′, s, q and edges labeled t and g]
islands: {p, u}, {w}, {y, s′}
bridges: u, v, w; w, x, y
initial span: p (associated word ν)
terminal span: s′ to s (associated word →t)
Slide 30: Take-Grant Systems
can·share(r, x, y, G0) holds if, and only if, there is a sequence of protection graphs G0, ..., Gn such that G0 ⊢∗ Gn using only de jure rules and in Gn there is an edge from x to y labeled r.
Slide 31: Take-Grant Systems
can·share(r, x, y, G0) holds if, and only if, there is an edge from x to y labeled r in G0, or the following hold simultaneously:
there is an s in G0 with an s-to-y edge labeled r;
there is a subject x′ = x or x′ initially spans to x;
there is a subject s′ = s or s′ terminally spans to s; and
there are islands I1, ..., Ik connected by bridges, x′ is in I1, and s′ is in Ik.
Slide 32: Take-Grant Systems
1 s has r rights over y
2 s′ acquires r rights over y from s (definition of terminal span)
3 x′ acquires r rights over y from s′ (repeated application of sharing among vertices in islands, passing rights along bridges)
4 x′ gives r rights over y to x (definition of initial span)
Slide 33: Take-Grant Systems
The access control matrix is generic: it can be applied in any situation.
Take-Grant has specific rules and rights: it can be applied in situations matching those rules and rights.
What states can evolve from a system that is modeled using the Take-Grant Protection Model?
Slide 34: Take-Grant Systems
[Figure: trusted subject s with edges labeled g to p and q, and two edges labeled r,w]
Goal: p, q to communicate through shared buffer b controlled by trusted entity s
Slide 35: Take-Grant Systems
[Figure: as on slide 34, with s now holding an edge labeled r,w to the new object b]
Goal: p, q to communicate through shared buffer b controlled by trusted entity s
1 s creates ({r, w} to) new object b
Slide 36: Take-Grant Systems
[Figure: as on slide 35, with p now holding an edge labeled r,w to b]
Goal: p, q to communicate through shared buffer b controlled by trusted entity s
1 s creates ({r, w} to) new object b
2 s grants ({r, w} to b) to p
Slide 37: Take-Grant Systems
[Fig­ure: as on slide 36, with q now holding an edge labeled r,w to b]
Goal: p, q to communicate through shared buffer b controlled by trusted entity s
1 s creates ({r, w} to) new object b
2 s grants ({r, w} to b) to p
3 s grants ({r, w} to b) to q
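Added Python example, not from the slides: a small protection graph with the four de jure rules, replaying the four steps of slides 22-25 and the three steps of the shared-buffer construction of slides 34-37. It assumes the initial g edges from s to p and q and the class API shown; the vertex and right names follow the slides.

```python
def _require(ok, rule):
    if not ok:
        raise ValueError(rule + " rule: preconditions not met")

class TakeGrant:
    """Protection graph with the four de jure rules of slides 19-20."""
    def __init__(self, subjects, objects=()):
        self.is_subject = {v: True for v in subjects} | {v: False for v in objects}
        self.edges = {}    # (src, dst) -> set of rights

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def _add(self, x, y, beta):
        self.edges.setdefault((x, y), set()).update(beta)

    def take(self, x, y, z, beta):
        """x takes (beta to z) from y: x subject, x -t-> y, beta ⊆ rights(y, z)."""
        _require(self.is_subject.get(x) and "t" in self.rights(x, y) and beta <= self.rights(y, z), "take")
        self._add(x, z, beta)

    def grant(self, x, y, z, beta):
        """x grants (beta to z) to y: x subject, x -g-> y, beta ⊆ rights(x, z)."""
        _require(self.is_subject.get(x) and "g" in self.rights(x, y) and beta <= self.rights(x, z), "grant")
        self._add(y, z, beta)

    def create(self, x, v, alpha, subject):
        """x creates (alpha to new) v."""
        _require(self.is_subject.get(x) and v not in self.is_subject, "create")
        self.is_subject[v] = subject
        self._add(x, v, alpha)

    def remove(self, x, y, beta):
        """x removes (beta to) y, leaving the edge labeled alpha - beta."""
        _require(self.is_subject.get(x), "remove")
        self.edges.get((x, y), set()).difference_update(beta)

def share_via_grant():
    """Slides 22-25: from x -g-> y and y -{r}-> z, x obtains r over z."""
    g = TakeGrant(subjects=("x", "y"), objects=("z",))
    g._add("x", "y", {"g"}); g._add("y", "z", {"r"})   # initial graph, alpha = beta = {r}
    g.create("x", "v", {"t", "g"}, subject=False)       # 1 x creates (tg to new) v
    g.grant("x", "y", "v", {"g"})                       # 2 x grants (g to v) to y
    g.grant("y", "v", "z", {"r"})                       # 3 y grants (beta to z) to v
    g.take("x", "v", "z", {"r"})                        # 4 x takes (beta to z) from v
    return g.rights("x", "z")

def shared_buffer():
    """Slides 34-37: s creates buffer b and grants p and q r,w over it."""
    g = TakeGrant(subjects=("s", "p", "q"))
    g._add("s", "p", {"g"}); g._add("s", "q", {"g"})   # assumed initial g edges from s
    g.create("s", "b", {"r", "w"}, subject=False)       # 1 s creates ({r,w} to) new object b
    g.grant("s", "p", "b", {"r", "w"})                  # 2 s grants ({r,w} to b) to p
    g.grant("s", "q", "b", {"r", "w"})                  # 3 s grants ({r,w} to b) to q
    try:                                                # p has no g edge to q, so it
        g.grant("p", "q", "b", {"r"})                   # cannot pass the buffer on
        blocked = False
    except ValueError:
        blocked = True
    return g.rights("p", "b"), g.rights("q", "b"), blocked
```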
Slide 38: SPM
Protection type: an entity label determining how control rights affect the entity; set at creation and cannot be changed.
Ticket: a description of a single right over an entity. A ticket is X/r, where X is an entity and r a right. Each entity has a set of tickets, called its domain.
Functions determine rights transfer:
Link: are the source and target "connected"?
Filter: is the transfer of the ticket authorized?
Slide 39: SPM
Idea: link_i(X, Y) holds if X can assert some control right over Y.
A link predicate is a conjunction or disjunction of terms of the form:
X/z ∈ dom(X), X/z ∈ dom(Y), Y/z ∈ dom(X), Y/z ∈ dom(Y), true
Slide 40: SPM
Example link predicates:
Take-Grant: link(X, Y) = Y/g ∈ dom(X) ∨ X/t ∈ dom(Y)
Broadcast: link(X, Y) = X/b ∈ dom(X)
Pull: link(X, Y) = Y/p ∈ dom(Y)
Slide 41: SPM
Filter function: its range is the set of copyable tickets, given as (entity type, right) pairs; its domain is pairs of subject types.
Copying a ticket X/r:c from dom(Y) to dom(Z) is authorized when all of the following hold:
X/rc ∈ dom(Y)
link_i(Y, Z)
τ(X)/r:c ∈ f_i(τ(Y), τ(Z))
There is one filter function per link predicate.
Slide 42: SPM
Example filter functions:
f_i(τ(Y), τ(Z)) = T × R: any ticket can be transferred (if the other conditions are met)
f_i(τ(Y), τ(Z)) = T × RI: only tickets with inert rights can be transferred (if the other conditions are met)
f_i(τ(Y), τ(Z)) = ∅: no tickets can be transferred
Slide 43: SPM
Take-Grant as an SPM scheme:
TS = { subjects }, TO = { objects }
RC = { tc, gc }, RI = { rc, wc, ... }
link(p, q) = p/t ∈ dom(q) ∨ q/g ∈ dom(p)
f(subject, subject) = { subject, object } × { tc, gc, rc, wc }
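Added Python example (not from the slides) of the copy rule of slide 41 instantiated with the Take-Grant link predicate and filter of slide 43. The ticket representation, the entities alice, bob, carol and doc, and the assumption that the filter is empty for type pairs other than (subject, subject) are ours.

```python
from collections import namedtuple

# A ticket X/r or X/rc: `copy` is the copy flag c.  Representation is ours.
Ticket = namedtuple("Ticket", "entity right copy")

def tg_link(dom, p, q):
    """Slide 43: link(p, q) = p/t ∈ dom(q) ∨ q/g ∈ dom(p)."""
    return any(t.entity == p and t.right == "t" for t in dom[q]) or \
           any(t.entity == q and t.right == "g" for t in dom[p])

def tg_filter(a, b):
    """Slide 43: f(subject, subject) = {subject, object} × {tc, gc, rc, wc}.
    Assumption: the filter is empty for any other pair of types."""
    if (a, b) != ("subject", "subject"):
        return set()
    return {(ty, r) for ty in ("subject", "object") for r in "tgrw"}

def authorizing_link(dom, tau, links, filters, Y, Z, ticket):
    """Index i of a link/filter pair authorizing the copy of `ticket` from
    dom(Y) to dom(Z) (slide 41), or None if no pair does."""
    X, r, _ = ticket
    if Ticket(X, r, True) not in dom[Y]:       # X/rc ∈ dom(Y): the source needs the copy flag
        return None
    for i, (link, f) in enumerate(zip(links, filters)):
        # link_i(Y, Z) and τ(X)/r:c ∈ f_i(τ(Y), τ(Z)); r:c in the filter covers
        # both X/r and X/rc, so the copy may keep or drop the flag
        if link(dom, Y, Z) and (tau[X], r) in f(tau[Y], tau[Z]):
            return i
    return None

def copy_ticket(dom, tau, links, filters, Y, Z, ticket):
    """Perform the copy if it is authorized; return True on success."""
    if authorizing_link(dom, tau, links, filters, Y, Z, ticket) is None:
        return False
    dom[Z].add(ticket)
    return True

def demo():
    """Constructed scenario: alice holds doc/rc and bob/gc; carol holds bob/t."""
    tau = {"alice": "subject", "bob": "subject", "carol": "subject", "doc": "object"}
    dom = {"alice": {Ticket("doc", "r", True), Ticket("bob", "g", True)},
           "bob": set(), "carol": {Ticket("bob", "t", False)}}
    # alice -> bob: bob/g ∈ dom(alice) links them; doc/r is copied without the flag
    a = copy_ticket(dom, tau, [tg_link], [tg_filter], "alice", "bob", Ticket("doc", "r", False))
    # alice -> carol: no link in either direction
    b = copy_ticket(dom, tau, [tg_link], [tg_filter], "alice", "carol", Ticket("doc", "r", True))
    # bob -> carol: linked (bob/t ∈ dom(carol)), but bob's doc/r lacks the copy flag
    c = copy_ticket(dom, tau, [tg_link], [tg_filter], "bob", "carol", Ticket("doc", "r", False))
    return a, b, c, dom["bob"]
```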
Slide 44: SPM
Creation must handle the type and tickets of the new entity.
Relation cc(a, b): a subject of type a can create an entity of type b (cc for "can create").
Rule of acyclic creates: [Figure: two create graphs over types a, b, c, d illustrating the rule]
Slide 45: SPM
cr(a, b): the tickets created when a subject of type a creates an entity of type b (cr for "create rule").
B an object: cr(a, b) ⊆ { b/r:c | r:c ∈ RI }; A gets B/r:c if and only if b/r:c ∈ cr(a, b).
B a subject: cr(a, b) has 2 subsets, crP(a, b) added to A and crC(a, b) added to B.
A gets B/r:c if and only if b/r:c ∈ crP(a, b); B gets A/r:c if and only if a/r:c ∈ crC(a, b).
Slide 46: SPM
cr(a, a): who gets what?
self/r:c are tickets for the creator; a/r:c are tickets for the created entity.
cr(a, a) = { a/r:c, self/r:c | r:c ∈ R }
Slide 47: SPM
cr(a, b) is attenuating if:
1 crC(a, b) ⊆ crP(a, b), and
2 a/r:c ∈ crP(a, b) ⇒ self/r:c ∈ crP(a, b)
Slide 48: SPM
Example: users can create files, and the creator can give itself any inert rights.
cc = {(user, file)}
cr(user, file) = { file/r:c | r ∈ RI }
Attenuating, as the create graph (user → file) is acyclic and loop free.
Slide 49: SPM
Example: subjects create subjects (type s) and objects (type o), but get only inert rights over the latter.
cc = {(s, s), (s, o)}
crC(a, b) = ∅
crP(s, s) = { s/tc, s/gc, s/rc, s/wc }
crP(s, o) = { o/rc, o/wc }
Not attenuating, as no self tickets are provided and a subject creates a subject (the create graph has a loop at s).
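Added Python example, not from the slides: it checks the rule of acyclic creates of slide 44 and the two attenuation conditions of slide 47 against the schemes of slides 48 and 49. It assumes RI = {r, w}, that loops (a, a) do not by themselves violate acyclicity, and the string form s/tc for tickets.

```python
def _parse(ticket):
    """'s/tc' -> ('s', 'tc'); the left part is a type or the word self."""
    return tuple(ticket.split("/", 1))

def acyclic_creates(cc):
    """Rule of acyclic creates (slide 44): cc, seen as a graph on types, has no
    cycle of length 2 or more.  Assumption: loops (a, a) are allowed here,
    since slides 46-47 handle them through attenuation."""
    succ = {}
    for a, b in cc:
        if a != b:
            succ.setdefault(a, set()).add(b)
    state = {}                                  # 1 = on the DFS stack, 2 = done
    def dfs(t):
        state[t] = 1
        for u in succ.get(t, ()):
            if state.get(u) == 1 or (u not in state and dfs(u)):
                return True                     # back edge: a cycle exists
        state[t] = 2
        return False
    return not any(t not in state and dfs(t) for t in list(succ))

def attenuating(a, b, crP, crC):
    """Slide 47: crC(a, b) ⊆ crP(a, b), and every a/r:c in crP(a, b) is
    matched by self/r:c in crP(a, b)."""
    P, C = crP.get((a, b), set()), crC.get((a, b), set())
    if not C <= P:
        return False
    return all(f"self/{r}" in P for owner, r in map(_parse, P) if owner == a)

def analyse(cc, crP, crC):
    """(acyclic?, {(a, b): attenuating?}) for a create scheme."""
    return acyclic_creates(cc), {(a, b): attenuating(a, b, crP, crC) for a, b in sorted(cc)}

# Slide 48: users create files, creator may take any inert right (RI = {r, w} assumed)
USER_FILE = ({("user", "file")},
             {("user", "file"): {"file/rc", "file/wc"}}, {})
# Slide 49: subjects create subjects and objects, no self tickets
SUBJ_OBJ = ({("s", "s"), ("s", "o")},
            {("s", "s"): {"s/tc", "s/gc", "s/rc", "s/wc"}, ("s", "o"): {"o/rc", "o/wc"}},
            {("s", "s"): set(), ("s", "o"): set()})
# Constructed: a create cycle a -> b -> c -> a, violating the rule
CYCLIC = ({("a", "b"), ("b", "c"), ("c", "a")}, {}, {})
```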
Slide 50: SPM
Goal: identify types of policies with tractable safety analyses.
Approach: derive a state in which additional entries and rights do not affect the analysis, then analyze this state. Such a state is called a maximal state.
Slide 51: SPM
The system begins in an initial state. An authorized operation causes a legal transition, and a sequence of legal transitions moves the system into a final state.
This sequence is a history. The final state is derivable from the history and the initial state.
Slide 52: SPM
Notation: states are represented by h. The set of subjects in state h is SUB_h and the set of entities is ENT_h. The link relation in the context of state h is link_h; the dom relation in the context of state h is dom_h.
Slide 53: SPM
path_h(X, Y): X and Y are connected by one link or a sequence of links. Formally, either of these holds:
for some i, link^h_i(X, Y); or
there is a sequence of subjects X0, ..., Xn such that link^h_i(X, X0), link^h_i(Xn, Y), and for k = 1, ..., n, link^h_i(Xk−1, Xk).
If there are multiple such paths, refer to path^h_j(X, Y).
Slide 54: SPM
cap(path_h(X, Y)): the set of tickets that can flow over path_h(X, Y).
If link^h_i(X, Y): the set of tickets that can be copied over the link, i.e., f_i(τ(X), τ(Y)).
Otherwise: the set of tickets that can be copied over all links in the sequence of links making up path_h(X, Y).
Note: all tickets (except those for the final link) must be copyable.
Slide 55: SPM
Idea: capture the flow of tickets around a given state of the system.
Let there be m paths path^h_i(X, Y) between subjects X and Y in state h. Then the flow function flow_h : SUB_h × SUB_h → 2^(T×R) is:
flow_h(X, Y) = ∪_{i=1}^{m} cap(path^h_i(X, Y))
Slide 56: SPM
Maximal state: maximizes flow between all pairs of subjects. The state is called ∗.
A ticket in flow_∗(X, Y) means there exists a sequence of
Questions:
Is the maximal state unique? Does every system have one?
Slide 57: SPM
Definition: g ≤0 h holds iff for all X, Y ∈ SUB_0, flow_g(X, Y) ⊆ flow_h(X, Y).
Note: if g ≤0 h and h ≤0 g, then g and h are equivalent states; this defines a set of equivalence classes on the set of derivable states.
Definition: for a given system, state m is maximal iff h ≤0 m for every derivable state h.
Intuition: the flow function contains all tickets that can be transferred from one subject to another.
All maximal states are in the same equivalence class, answering the first question (uniqueness of the maximal state).
Slide 58: SPM
Lemma: for a finite set H of derivable states, there is a derivable state m such that for all h ∈ H, h ≤0 m.
Slide 59: SPM
Proof: by induction on the size of H.
BASIS: for H = ∅, |H| = 0, the claim is trivially true.
INDUCTION HYPOTHESIS: for |H| = n, the claim holds.
INDUCTION STEP: |H′| = n + 1, where H′ = G ∪ {h}. By hypothesis, there is a g ∈ G such that x ≤0 g for all x ∈ G.
Let M be an interleaving of the histories of g and h which preserves the relative order of transitions in g and h, and omits the second create operation if one is duplicated. M ends up in state m.
If path_g(X, Y) for X, Y ∈ SUB_g, then path_m(X, Y), so g ≤0 m.
If path_h(X, Y) for X, Y ∈ SUB_h, then path_m(X, Y), so h ≤0 m.
Hence m is a maximal state for H′.
Slide 60: SPM
Theorem: every system has a maximal state ∗.
Outline of proof:
Let K be the set of derivable states containing exactly one state from each equivalence class of derivable states.
Let X, Y ∈ SUB_0. The flow function's range is 2^(T×R), so it can take on at most |2^(T×R)| values. There are |SUB_0|^2 pairs of subjects in SUB_0.
So there are at most |2^(T×R)|^(|SUB_0|^2) distinct equivalence classes, and K is finite.
So the lemma's conditions hold, giving the answer "yes".